Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp1156250ybl; Fri, 10 Jan 2020 13:08:59 -0800 (PST) X-Google-Smtp-Source: APXvYqx3qHB8D8rSF/6HSNTs7LYQWVW5xWeBwShGyL8voErAZlQgzrnLqUOE/pYwcBGmFXi93/3L X-Received: by 2002:a05:6830:10a:: with SMTP id i10mr4018714otp.365.1578690539046; Fri, 10 Jan 2020 13:08:59 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1578690539; cv=none; d=google.com; s=arc-20160816; b=CJ/0pXu1QXQXaWdGEbPgD3ZDv9EJM8JBSgBzw2olQYKdmsjoa9Jwf3MFHZlCiftpCh 7pc+fu0uNyceKRdVbPwVLo7oriKT2nGRjSLkPW2uXjrBbgdMQOY7cI621HC3hacqdyH7 cL2lRmMrogvuJI0MOzAd3JWXdxVOgesVgmbqwFj6eC4kwjWurmYynYZFtgdaVwV/7h/U 6gKdP89epzo1oDAiMUfKCKKyAYM2WUyWbLyvPgj2q33GyHTG9gHvyGDrm74G3v8w3fcY a/deJpk6jI3iaHL8zlWFNyn16pV9Csf7gobKF1ZEKv3/+E/OMTaqhMypR0G7Uzy4UMr9 E7pg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=F8U1TODNE6xt2jlCcTN2XwyD/crmnN8ciqYwytpl3+0=; b=mdowpnDwDc9tKSFzSmEZ6lQz36Mg3azOM/+/ivwprPTMoga3vtwVS7SQTKseSC4EBa I3Tw84VUaO5PbMzDfm+RN6SFzNjUmOAtp12Ui+CzqoyxDwvNeKg5aMgiVZ3KEf+pvg7H whk/aY5ifjUINfKQ18G5dvksm3jyQucnNQwkQdt0Ibasm18EFkRixVeN0u9RUgKjiu1e focPJ/prU4in1DwCtM6KWZRFbHimPtSnDDqLmpeULeLkaZynoT5v2IDRzf4XglvVqUXD 18bnxe1H0HpT+6A5WA5v8EmbKdCTWhoMbYsw/QeApjsgMuvkBqOmQZsjU76KtbnbdDjw 3tAA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l204si1603370oif.261.2020.01.10.13.08.46; Fri, 10 Jan 2020 13:08:59 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727078AbgAJVHn (ORCPT + 99 others); Fri, 10 Jan 2020 16:07:43 -0500 Received: from mout-p-102.mailbox.org ([80.241.56.152]:23372 "EHLO mout-p-102.mailbox.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726842AbgAJVHm (ORCPT ); Fri, 10 Jan 2020 16:07:42 -0500 Received: from smtp2.mailbox.org (smtp2.mailbox.org [IPv6:2001:67c:2050:105:465:1:2:0]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by mout-p-102.mailbox.org (Postfix) with ESMTPS id 47vbCv5hSczKmhn; Fri, 10 Jan 2020 22:07:39 +0100 (CET) X-Virus-Scanned: amavisd-new at heinlein-support.de Received: from smtp2.mailbox.org ([80.241.60.241]) by spamfilter01.heinlein-hosting.de (spamfilter01.heinlein-hosting.de [80.241.56.115]) (amavisd-new, port 10030) with ESMTP id hIHoHiMQzTgm; Fri, 10 Jan 2020 22:07:33 +0100 (CET) Date: Sat, 11 Jan 2020 08:07:19 +1100 From: Aleksa Sarai To: Linus Torvalds Cc: Al Viro , David Howells , Eric Biederman , stable , Christian Brauner , Serge Hallyn , dev@opencontainers.org, Linux Containers , Linux API , linux-fsdevel , Linux Kernel Mailing List , Ian Kent Subject: Re: [PATCH RFC 0/1] mount: universally disallow mounting over symlinks Message-ID: <20200110210719.ktg3l2kwjrdutlh6@yavin> References: <20191230072959.62kcojxpthhdwmfa@yavin.dot.cyphar.com> <20200101004324.GA11269@ZenIV.linux.org.uk> <20200101005446.GH4203@ZenIV.linux.org.uk> <20200101030815.GA17593@ZenIV.linux.org.uk> <20200101144407.ugjwzk7zxrucaa6a@yavin.dot.cyphar.com> <20200101234009.GB8904@ZenIV.linux.org.uk> <20200102035920.dsycgxnb6ba2jhz2@yavin.dot.cyphar.com> <20200103014901.GC8904@ZenIV.linux.org.uk> <20200108031314.GE8904@ZenIV.linux.org.uk> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="ngr34thsixezvd7j" Content-Disposition: inline In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --ngr34thsixezvd7j Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2020-01-07, Linus Torvalds wrote: > On Tue, Jan 7, 2020 at 7:13 PM Al Viro wrote: > > Another interesting question is whether we want O_PATH open > > to trigger automounts. >=20 > It does sound like they shouldn't, but as you say: >=20 > > The thing is, we do *NOT* trigger them > > (or traverse mountpoints) at the starting point of lookups. > > I believe it's a mistake (and mine, at that), but I doubt that > > there's anything that can be done about it at that point. > > It's a user-visible behaviour [..] >=20 > Hmm. I wonder how set in stone that is. We may have two decades of > history of not doing it at start point of lookups, but we do *not* > have two decades of history of O_PATH. >=20 > So what I think we agree would be sane behavior would be for O_PATH > opens to not trigger automounts (unless there's a slash at the end, > whatever), but _do_ add the mount-point traversal to the beginning of > lookups. >=20 > But only do it for the actual O_PATH fd case, not the cwd/root/non-O_PATH= case. >=20 > That way we maintain original behavior: if somebody overmounts your > cwd, you still see the pre-mount directory on lookups, because your > cwd is "under" the mount. >=20 > But if you open a file with O_PATH, and somebody does a mount > _afterwards_, the openat() will see that later mount and/or do the > automount. >=20 > Don't you think that would be the more sane/obvious semantics of how > O_PATH should work? If I'm understanding this proposal correctly, this would be a problem for the libpathrs use-case -- if this is done then there's no way to avoid a TOCTOU with someone mounting and the userspace program checking whether something is a mountpoint (unless you have Linux >5.6 and RESOLVE_NO_XDEV). Today, you can (in theory) do it with MNT_EXPIRE: 1. Open the candidate directory. 2. umount2(MNT_EXPIRE) the fd. * -EINVAL means it wasn't a mountpoint when we got the fd, and the fd is a stable handle to the underlying directory. * -EAGAIN or -EBUSY means that it was a mountpoint or became a mountpoint after the fd was opened (we don't care about that, but fail-safe is better here). 3. Use the fd from (1) for all operations. Don't get me wrong, I want to fix this issue *properly* by adding some new kernel features that allow us to avoid worrying about mounts-over-magiclinks -- but on old kernels (which libpathrs cares about) I would be worried about changes like this being backported resulting in it being not possible to implement the hardening I mentioned up-thread. --=20 Aleksa Sarai Senior Software Engineer (Containers) SUSE Linux GmbH --ngr34thsixezvd7j Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iHUEABYIAB0WIQSxZm6dtfE8gxLLfYqdlLljIbnQEgUCXhjnhAAKCRCdlLljIbnQ EhaiAP9e9kkZEWJCnBThFyXtSMRZyNVXHckugjlX6Ia4tELkfwD+KmuEPaDHPZsv ZqHH8TBxEFo6jF26WNsOXtxaBZwFsQ0= =uAob -----END PGP SIGNATURE----- --ngr34thsixezvd7j--